From ndesai01@tampabay.rr.com Mon Feb 19 23:08:51 2001
Date: Mon, 19 Feb 2001 22:35:11 -0500
From: Neil Desai
To: Lance Spitzner
Subject: Entry for February Scan of the Month
Here are my thoughts on the attack:
### QUESTION 1: What is the operating system of the honeypot, how do you know?
The OS is Windows NT4 Server with IIS4 or Windows 2K with IIS5. This is given away by "GET /msadc/....../....../....../winnt/system32?". The "msadc" directory is installed by default with IIS4 as part of the default web site. It points to "(system drive)\Program Files\Common Files\system\msadc\". You can also tell by the output from the "dir c:\".
### QUESTION 2: What is the name of this attack?
It is the "Web Server File Request Parsing" vulnerability and it is MS00-086. The basic problem is the way that IIS handles executables. Normally you should only be able to request the actual executable, but IIS allows you to also send any associated commands or switches for the executable as well. This allows for many different avenues of attack to the web server.
### QUESTION 3: What is the attack attempting to accomplish?
To issue commands to the underlying OS. In this case the attacker is issuing "dir c:\" and wants to look at the contents of "C:\". By looking at the information that was sent back to the attacker they can easily tell that the web root is on the same drive as the OS. The attacker could also use it to start an FTP session from the web server to his/her machine to get files that would then be used for other things. The attacker could also redirect text to the homepage of the web server to deface the site. The attacker is using a Windows95 box with IE5.0 (User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows95)..) The attacker is "lib.bvxttrip.org". This is my assumption of what the user did:
1. Go to the main page of the web site.
2. Type the following in the URL line in the web browser after getting to the main page (minus the quotes):
"172.16.0.106/msadc/....../....../....../winnt/system32/cmd.exe?/c+dir+c:\"
This got them the output:
HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Tue, 26 Dec 2000 13:05:30 GMT
Connection: close
Content-Type: application/octet-stream
Volume in drive C has no label.
Volume Serial Number is 8403-6A0E
Directory of c:\
11/26/00 12:34p 0 AUTOEXEC.BAT
11/26/00 06:57p 322 boot.ini
11/26/00 12:34p 0 CONFIG.SYS
12/07/00 03:30p InetPub
12/07/00 03:12p Multimedia Files
12/20/00 05:13p 78,643,200 pagefile.sys
12/21/00 08:59p Program Files
12/21/00 08:59p TEMP
12/20/00 05:14p WINNT
9 File(s) 78,643,522 bytes
1,779,191,808 bytes free
Most of the data is generated by the web browser and is irrelevant to the actual attack.
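The request pattern described in this entry (an encoded traversal from /msadc/ down to cmd.exe, with the command passed in the query string) is what a defender would want to pick out of IIS logs, and the encoded form makes a naive string match on "../" miss it. The Python below is an added example and is not part of Neil Desai's entry or of the Honeynet Project's material: it normalizes a request path the way a lenient server would (folding overlong two-byte UTF-8 such as %c0%af back to '/', decoding a bounded number of times to catch double encoding, mapping '\' to '/') and then flags traversal and command-interpreter requests. The log lines, client addresses and field layout are constructed for the example.

```python
import re
from urllib.parse import unquote, unquote_plus

# Constructed W3C-extended-style IIS log lines (sample data made up for this
# example, not from the original capture). Fields:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = [
    "2000-12-26 13:05:30 10.0.0.5 GET /msadc/..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe /c+dir+c:\\ 200",
    "2000-12-26 13:05:31 10.0.0.5 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir 200",
    "2000-12-26 13:05:32 10.0.0.6 GET /default.asp - 200",
    "2000-12-26 13:05:33 10.0.0.7 GET /images/logo.gif - 404",
]

# Two-byte "overlong" UTF-8 sequences (lead byte 0xC0 or 0xC1) that encode
# plain ASCII such as '/' or '\'. Strict decoders reject them, so they are
# folded back to the ASCII character before the path is judged.
_OVERLONG = re.compile(r"%(c[01])%([0-9a-f]{2})", re.IGNORECASE)


def _fold_overlong(m):
    lead, trail = int(m.group(1), 16), int(m.group(2), 16)
    return chr(((lead & 0x1F) << 6) | (trail & 0x3F))


def normalize_path(path, max_rounds=3):
    """Decode a request path as a lenient server might, then canonicalize.

    Decoding is repeated a bounded number of times so double-encoded
    sequences (%255c -> %5c -> \\) are caught; backslashes become '/', and
    runs of slashes collapse. Compare this result, not the raw string,
    against the web root.
    """
    current = path
    for _ in range(max_rounds):
        decoded = unquote(_OVERLONG.sub(_fold_overlong, current))
        if decoded == current:
            break
        current = decoded
    current = current.replace("\\", "/")
    return re.sub(r"/+", "/", current)


def find_indicators(stem, query):
    """Return human-readable reasons a request looks like traversal or command abuse."""
    path = normalize_path(stem)
    lower = path.lower()
    reasons = []
    if re.search(r"(^|/)\.\.(/|$)", path):
        reasons.append("directory traversal after decoding")
    if "/winnt/system32/" in lower:
        reasons.append("reference to the system32 directory")
    if lower.endswith("cmd.exe"):
        reasons.append("request for the command interpreter")
        if query and query != "-":
            # IIS handed the query string to the executable as its arguments
            reasons.append("arguments passed to executable: " + unquote_plus(query))
    return reasons


def parse_line(line):
    date, time, client, method, stem, query, status = line.split()
    return {"client": client, "method": method, "stem": stem,
            "query": query, "status": int(status)}


def scan_log(lines):
    """Return one record per suspicious request, with normalized path and reasons."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        reasons = find_indicators(rec["stem"], rec["query"])
        if reasons:
            rec["normalized"] = normalize_path(rec["stem"])
            rec["reasons"] = reasons
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["client"], hit["normalized"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

Run against the constructed lines, the first two requests are flagged (the overlong-encoded and the double-encoded traversal), while the ordinary page and image requests are not. Bounding the decode loop matters: an unbounded loop on attacker-controlled input is its own denial-of-service hazard.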